The One-Two Punch of User and Device Trust

Multi-factor authentication (MFA) is a proven method through which to ensure you’re verifying the identity of users who are accessing applications. It uses strong two-factor authentication to ensure your users are who they say they are.

But trusting users is only one component of the trusted access equation. The combination of user trust plus device trust is the one-two punch to minimize risk and ensure your applications are only accessible by devices you allow.

When paired with strong identity verification, adding endpoint visibility allows you to check that your users’ devices meet your security standards before you grant them access, which safeguards against vulnerable or potentially compromised endpoints. Essentially, it means you can trust the devices that are accessing your applications and data.

This is an update on perimeter-focused security models, which consider anything within an organization’s corporate walls (or on the network) as trusted. User and device trust combined essentially puts an individualized perimeter around a user and their device, and it can go wherever they go.

And gaining trust in devices isn’t as difficult as it may sound.

It starts with conducting a device inventory through which you can discover every device that accesses your systems and applications – that goes for devices that are corporate-owned and managed and devices that are employee-owned and unmanaged.

One customer – an enterprise healthcare system – discovered roughly 30,000 more mobile devices than it had previously thought were accessing its environment, which included applications containing patient data. These devices were going largely unchecked and comprised half of the organization’s total device fleet.

Once an inventory is established, robust application access policies add another layer of control. You can set device policies based on a host of factors to define which users can access which applications from which devices, and under what circumstances. For example, you can use device-level policies to restrict or allow access by:

Device type, meaning you can grant access from devices based on whether they’re corporate or employee owned and managed.

Device health, which checks if devices are running up-to-date operating systems and software, browsers and plugins; and whether it has the latest security patches installed

Device security, which examines whether a device has encryption enabled, a passcode lock screen, and if a device is jailbroken or rooted.

Duo takes it one step further by enabling you to notify, warn or block users from applications until they update their devices.

Combining MFA with device trust and access policies doubles up security to neutralize the risks associated with compromised passwords and the exploitation of vulnerabilities of devices that aren’t properly secured or up to date.